Only let top admin purge. Fixes #2731 (#2732)

This commit is contained in:
Dessalines 2023-02-14 14:31:04 -05:00 committed by GitHub
parent 25e98064b6
commit 9d7009c772
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
5 changed files with 25 additions and 12 deletions


@ -3,7 +3,7 @@ use actix_web::web::Data;
use lemmy_api_common::{ use lemmy_api_common::{
context::LemmyContext, context::LemmyContext,
site::{PurgeComment, PurgeItemResponse}, site::{PurgeComment, PurgeItemResponse},
utils::{get_local_user_view_from_jwt, is_admin}, utils::{get_local_user_view_from_jwt, is_top_admin},
}; };
use lemmy_db_schema::{ use lemmy_db_schema::{
source::{ source::{
@ -28,8 +28,8 @@ impl Perform for PurgeComment {
let local_user_view = let local_user_view =
get_local_user_view_from_jwt(&data.auth, context.pool(), context.secret()).await?; get_local_user_view_from_jwt(&data.auth, context.pool(), context.secret()).await?;
// Only let admins purge an item // Only let the top admin purge an item
is_admin(&local_user_view)?; is_top_admin(context.pool(), local_user_view.person.id).await?;
let comment_id = data.comment_id; let comment_id = data.comment_id;


@ -4,7 +4,7 @@ use lemmy_api_common::{
context::LemmyContext, context::LemmyContext,
request::purge_image_from_pictrs, request::purge_image_from_pictrs,
site::{PurgeCommunity, PurgeItemResponse}, site::{PurgeCommunity, PurgeItemResponse},
utils::{get_local_user_view_from_jwt, is_admin, purge_image_posts_for_community}, utils::{get_local_user_view_from_jwt, is_top_admin, purge_image_posts_for_community},
}; };
use lemmy_db_schema::{ use lemmy_db_schema::{
source::{ source::{
@ -29,8 +29,8 @@ impl Perform for PurgeCommunity {
let local_user_view = let local_user_view =
get_local_user_view_from_jwt(&data.auth, context.pool(), context.secret()).await?; get_local_user_view_from_jwt(&data.auth, context.pool(), context.secret()).await?;
// Only let admins purge an item // Only let the top admin purge an item
is_admin(&local_user_view)?; is_top_admin(context.pool(), local_user_view.person.id).await?;
let community_id = data.community_id; let community_id = data.community_id;


@ -4,7 +4,7 @@ use lemmy_api_common::{
context::LemmyContext, context::LemmyContext,
request::purge_image_from_pictrs, request::purge_image_from_pictrs,
site::{PurgeItemResponse, PurgePerson}, site::{PurgeItemResponse, PurgePerson},
utils::{get_local_user_view_from_jwt, is_admin, purge_image_posts_for_person}, utils::{get_local_user_view_from_jwt, is_top_admin, purge_image_posts_for_person},
}; };
use lemmy_db_schema::{ use lemmy_db_schema::{
source::{ source::{
@ -29,8 +29,8 @@ impl Perform for PurgePerson {
let local_user_view = let local_user_view =
get_local_user_view_from_jwt(&data.auth, context.pool(), context.secret()).await?; get_local_user_view_from_jwt(&data.auth, context.pool(), context.secret()).await?;
// Only let admins purge an item // Only let the top admin purge an item
is_admin(&local_user_view)?; is_top_admin(context.pool(), local_user_view.person.id).await?;
// Read the person to get their images // Read the person to get their images
let person_id = data.person_id; let person_id = data.person_id;


@ -4,7 +4,7 @@ use lemmy_api_common::{
context::LemmyContext, context::LemmyContext,
request::purge_image_from_pictrs, request::purge_image_from_pictrs,
site::{PurgeItemResponse, PurgePost}, site::{PurgeItemResponse, PurgePost},
utils::{get_local_user_view_from_jwt, is_admin}, utils::{get_local_user_view_from_jwt, is_top_admin},
}; };
use lemmy_db_schema::{ use lemmy_db_schema::{
source::{ source::{
@ -29,8 +29,8 @@ impl Perform for PurgePost {
let local_user_view = let local_user_view =
get_local_user_view_from_jwt(&data.auth, context.pool(), context.secret()).await?; get_local_user_view_from_jwt(&data.auth, context.pool(), context.secret()).await?;
// Only let admins purge an item // Only let the top admin purge an item
is_admin(&local_user_view)?; is_top_admin(context.pool(), local_user_view.person.id).await?;
let post_id = data.post_id; let post_id = data.post_id;


@ -30,6 +30,7 @@ use lemmy_db_views_actor::structs::{
CommunityModeratorView, CommunityModeratorView,
CommunityPersonBanView, CommunityPersonBanView,
CommunityView, CommunityView,
PersonViewSafe,
}; };
use lemmy_utils::{ use lemmy_utils::{
claims::Claims, claims::Claims,
@ -60,6 +61,18 @@ pub async fn is_mod_or_admin(
Ok(()) Ok(())
} }
pub async fn is_top_admin(pool: &DbPool, person_id: PersonId) -> Result<(), LemmyError> {
let admins = PersonViewSafe::admins(pool).await?;
let top_admin = admins
.get(0)
.ok_or_else(|| LemmyError::from_message("no admins"))?;
if top_admin.person.id != person_id {
return Err(LemmyError::from_message("not_top_admin"));
}
Ok(())
}
pub fn is_admin(local_user_view: &LocalUserView) -> Result<(), LemmyError> { pub fn is_admin(local_user_view: &LocalUserView) -> Result<(), LemmyError> {
if !local_user_view.person.admin { if !local_user_view.person.admin {
return Err(LemmyError::from_message("not_an_admin")); return Err(LemmyError::from_message("not_an_admin"));
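Review bot: `is_top_admin` makes an authorization decision from whichever row `PersonViewSafe::admins(pool)` happens to return first, and nothing in this hunk shows that query imposing a deterministic order; if it has no explicit ORDER BY, the identity of the "top admin" could vary between calls and the purge gate with it. Worth confirming the ordering inside `PersonViewSafe::admins` and recording the assumption on the function, e.g. `/// Returns Ok only when person_id matches the first admin returned by PersonViewSafe::admins (assumed to be a stable, explicitly ordered list); used to gate purge actions.` Minor: `admins.get(0)` reads more clearly as `admins.first()` (clippy `get_first`). `is_admin` continues past the end of the hunk.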